The Yahoo Breach Was Actually Three Billion Accounts

When Yahoo disclosed in December that a billion (yes, billion) of its users’ accounts had been compromised in an August 2013 breach, it came as a staggering revelation. Now, 10 months later, the company would like to make a correction: That incident actually exposed three billion accounts—every Yahoo account that existed at the time.

On the one hand, this new information doesn’t really change things in a practical sense, because the initial billion account estimate was already enormous—you could safely assume you were impacted—and Yahoo took protective steps for all users in December, like resetting passwords and unencrypted security questions. On the other hand, three billion accounts.

“They are as big as it gets,” says Jeremiah Grossman, who worked as an information security officer at Yahoo for two years in the early 2000s and is now the chief of security strategy at SentinelOne. “Maybe Google or maybe Facebook, but the next mega-breach is not going to be orders of magnitude bigger.””

In this case, it took Yahoo three years to discover and disclose the breach, and almost four years to complete the investigation. And let’s not confuse all of that with a separate Yahoo breach perpetrated in late 2014, and not disclosed until September 2016, that impacted 500 million accounts. That alone still holds as the second-biggest known breach of all time, in terms of impacted users. (One could argue that the recent Equifax breach, which impacted 145.5 million people, will ultimately have greater negative overall impact because of the particular sensitivity of the data involved.)

The most recent disclosure also comes after Yahoo’s recent acquisition by Verizon and subsequent merger with AOL. Disclosing two enormous breaches back to back at the end of 2016 put a strain on the acquisition process, and even reportedly led Verizon to demand a price reduction.

Even though three billion sounds like a dramatic number, Grossman argues that it shouldn’t come as a surprise. “To everybody on the outside, it looked to us when we originally read all the information that [the breach] must have impacted all the accounts,” he says. The attackers “got so deep in the system, I couldn’t imagine why certain accounts would have been affected and not others.”

Yahoo published information about the revision on its Account Security Update page, attempting to clarify the timeline of events. “Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” the company wrote.

The update from Yahoo is a new high—that is to say, a new low—in terms of mega-breach scale. Think of it this way: On Monday, Equifax faced warranted criticism when it revised the number of people affected by its massive data breach from 143 million to 145.5 million. Yahoo’s adjustment weighs in at 800 times that. The silver lining, one imagines, is that it quite literally can’t get any worse.